Lucene search
+L

69338 matches found

Nuclei
Nuclei
added 11 hours ago114 views

Hash Form <= 1.1.0 - Arbitrary File Upload

The Hash Form Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fileuploadaction' function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on...

9.8CVSS9.3AI score0.50653EPSS
Exploits8References3
Nuclei
Nuclei
added 11 hours ago660 views

Chamilo LMS <= 1.11.24 - Remote Code Execution

Unrestricted file upload in big file upload functionality in /main/inc/lib/javascript/bigupload/inc/bigUpload.php in Chamilo LMS = v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell. id: CVE-2023-422...

8.1CVSS7.6AI score0.76084EPSS
Exploits27References4
Nuclei
Nuclei
added 11 hours ago233 views

Studio-42 elFinder <2.1.60 - Arbitrary File Upload

Studio-42 elFinder 2.0.4 to 2.1.59 is vulnerable to unauthenticated file upload via connector.minimal.php which could allow a remote user to upload arbitrary files and execute PHP code. id: CVE-2021-43421 info: name: Studio-42 elFinder 2.1.60 - Arbitrary File Upload author: akincibor severity:...

9.8CVSS8.8AI score0.42781EPSS
Exploits1References4
Cvelist
Cvelist
added 12 hours ago9 views

CVE-2026-13352 Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content <= 4.16.18 - Authenticated (Author+) Limited Unsafe File Upload via upload_mimes Filter Expansion

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 4.16.18 via the allowedmimetypes function. This is due to the unconditional...

8.8CVSS
Exploits0References8
EUVD
EUVD
added 12 hours ago6 views

EUVD-2026-45134

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 4.16.18 via the allowedmimetypes function. This is due to the unconditional...

8.8CVSS6.5AI score
Exploits0References8
CVE
CVE
added 12 hours ago8 views

CVE-2026-13352

The ProfilePress/ Paid Membership plugin for WordPress (up to version 4.16.18) is vulnerable to Arbitrary File Upload via the allowed_mime_types/upload_mimes filter expansion. A filter is registered globally on every request, unconditionally adding executable extensions (.exe, .apk, .msi) to the ...

8.8CVSS6.5AI score
Exploits0References8
CVE
CVE
added 16 hours ago5 views

CVE-2026-62216

OpenClaw 2026.4.20 before 2026.5.28 contains a policy bypass in the QQBot media upload feature that could allow a lower-trust caller or configured input path to reach network destinations blocked by policy (server-side request forgery). Practical impact depends on operator configuration and wheth...

5CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added 16 hours ago5 views

EUVD-2026-45104

OpenClaw 2026.4.20 before 2026.5.28 contain a policy bypass in the QQBot media upload feature. A lower-trust caller or configured input path could cause the media upload to reach network destinations that should have been blocked by OpenClaw policy server-side request forgery. The practical impac...

5CVSS6.1AI score
Exploits0References2
Nuclei
Nuclei
added yesterday103 views

Apache ActiveMQ Fileserver - Arbitrary File Write

Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request via the Fileserver web application. id: CVE-2016-3088 info: name: Apache ActiveMQ Fileserver - Arbitrary File Write author: fqhsu severity: critical...

9.8CVSS7.3AI score0.98518EPSS
Exploits19References5
Nuclei
Nuclei
added yesterday20 views

Qualitor <= 8.24 - Remote Code Execution

Qualitor up to 8.24 is vulnerable to Remote Code Execution RCE via Arbitrary File Upload in checkAcesso.php. id: CVE-2024-44849 info: name: Qualitor = 8.24 - Remote Code Execution author: s4e-io severity: critical description: | Qualitor up to 8.24 is vulnerable to Remote Code Execution RCE via...

9.8CVSS6.2AI score0.46301EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday151 views

User Profile Builder < 3.11.8 - File Upload

The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP. id: CVE-2024-6366 info: name: User Profile Builder 3.11.8 - File Upload author: s4e-io severity: high...

9.1CVSS6.1AI score0.28993EPSS
Exploits2References3
Nuclei
Nuclei
added yesterday143 views

Likeshop < 2.5.7.20210311 - Arbitrary File Upload

A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file with an...

9.8CVSS6.8AI score0.70688EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday169 views

Camaleon CMS < 2.8.1 Arbitrary File Write to RCE

An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on depending on the permissions of the underlying filesystem. E.g. This can lead to a remote...

9.9CVSS6.5AI score0.35461EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday3323 views

Apache httpd <=2.4.29 - Arbitrary File Upload

Apache httpd 2.4.0 to 2.4.29 is susceptible to arbitrary file upload vulnerabilities via the expression specified in , which could match '$' to a newline character in a malicious filename rather than matching only the end of the filename. This could be exploited in environments where uploads of...

8.1CVSS6.7AI score0.86006EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday26 views

Joomla! JCE extension < 2.9.99.5 unauthenticated RCE

Joomla JCE editor extension contains an unrestricted file upload vulnerability caused by allowing unauthenticated users to create new editor profiles, letting attackers upload and execute PHP code remotely, exploit requires no authentication. id: CVE-2026-48907 info: name: Joomla! JCE extension...

10CVSS7.2AI score0.80425EPSS
Exploits19References4
Nuclei
Nuclei
added yesterday20 views

WPvivid Backup & Migration <= 0.9.123 - Arbitrary File Upload

WPvivid Backup & Migration plugin for WordPress = 0.9.123 contains an unauthenticated arbitrary file upload vulnerability caused by improper error handling in RSA decryption and lack of path sanitization, letting unauthenticated attackers upload arbitrary PHP files and achieve remote code executi...

9.8CVSS7.5AI score0.32714EPSS
Exploits13References4
Nuclei
Nuclei
added yesterday45 views

Ninja Forms File Uploads <= 3.3.26 - Arbitrary File Upload

Ninja Forms File Uploads plugin for WordPress versions up to and including 3.3.26 is vulnerable to unauthenticated arbitrary file upload which could lead to remote code execution. id: CVE-2026-0740 info: name: Ninja Forms File Uploads = 3.3.26 - Arbitrary File Upload author: whattheslime severity...

9.8CVSS7.2AI score0.54254EPSS
Exploits8References2
Nuclei
Nuclei
added yesterday19 views

Kaseya VSA < 9.5.7 - Arbitrary File Upload to Remote Code Execution

An attacker can upload files with the privilege of the Web Server process for Kaseya VSA Unified Remote Monitoring & Management RMM 9.5.4.2149 and subsequently use these files to execute asp commands The api /SystemTab/uploader.aspx is vulnerable to an unauthenticated arbitrary file upload leadin...

10CVSS7.1AI score0.60348EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday12 views

Bonita Web 2021.2 - Authentication/Authorization Bypass

Bonita Web 2021.2 contains an authentication/authorization bypass vulnerability caused by an overly broad exclude pattern in RestAPIAuthorizationFilter, allowing unauthenticated users to access privileged API endpoints by appending ;i18ntranslation or /../i18ntranslation/ to the URL. id:...

9.8CVSS7AI score0.56222EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday31 views

Monsta FTP <= 2.11.2 - Unauthenticated Remote Code Execution

Monsta FTP = 2.11 contains an unrestricted file upload vulnerability caused by lack of authentication on file uploads, letting unauthenticated attackers execute arbitrary code by uploading crafted files. id: CVE-2025-34299 info: name: Monsta FTP = 2.11.2 - Unauthenticated Remote Code Execution...

9.8CVSS7.3AI score0.72667EPSS
Exploits6References3
Rows per page
Query Builder